From 8e76ef88f607174082023f50b87fe12dcdbe5db5 Mon Sep 17 00:00:00 2001 From: Martin Sperl Date: Sun, 10 May 2015 07:50:45 +0000 Subject: [PATCH 1/2] spi: fix race freeing dummy_tx/rx before it is unmapped MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix a race (with some kernel configurations) where a queued master->pump_messages runs and frees dummy_tx/rx before spi_unmap_msg is running (or is finished). This results in the following messages: BUG: Bad page state in process page:db7ba030 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x200(arch_1) page dumped because: PAGE_FLAGS_CHECK_AT_PREP flag set ... Reported-by: Noralf Trønnes Suggested-by: Noralf Trønnes Tested-by: Noralf Trønnes Signed-off-by: Martin Sperl Signed-off-by: Mark Brown Cc: stable@vger.kernel.org --- drivers/spi/spi.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index 50910d85df5a..d35c1a13217c 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -988,9 +988,6 @@ void spi_finalize_current_message(struct spi_master *master) spin_lock_irqsave(&master->queue_lock, flags); mesg = master->cur_msg; - master->cur_msg = NULL; - - queue_kthread_work(&master->kworker, &master->pump_messages); spin_unlock_irqrestore(&master->queue_lock, flags); spi_unmap_msg(master, mesg); @@ -1003,9 +1000,13 @@ void spi_finalize_current_message(struct spi_master *master) } } - trace_spi_message_done(mesg); - + spin_lock_irqsave(&master->queue_lock, flags); + master->cur_msg = NULL; master->cur_msg_prepared = false; + queue_kthread_work(&master->kworker, &master->pump_messages); + spin_unlock_irqrestore(&master->queue_lock, flags); + + trace_spi_message_done(mesg); mesg->state = NULL; if (mesg->complete) From 4b786458ed99eae9e9d9984a1624a79e9bf6cebb Mon Sep 17 00:00:00 2001 From: Martin Sperl Date: Mon, 25 May 2015 10:13:10 +0000 Subject: [PATCH 2/2] spi: restore rx/tx_buf in case of unset CONFIG_HAS_DMA The case where spi_master sets the flags SPI_MASTER_MUST_RX/TX while CONFIG_HAS_DMA is unset (which is unlikley) together with a driver that reuses spi_messages with rx/tx_buff set to NULL, can result in: * data disclosure over the SPI (for tx_buf == NULL) * memory corruption (for rx_buf == NULL) This happenes when dummy_rx/dummy_tx are changing address due to krealloc or free and an allocation of the memory by a different part of the kernel. Signed-off-by: Martin Sperl Signed-off-by: Mark Brown --- drivers/spi/spi.c | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index d35c1a13217c..cf8b91b23a76 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -571,7 +571,7 @@ static int __spi_map_msg(struct spi_master *master, struct spi_message *msg) return 0; } -static int spi_unmap_msg(struct spi_master *master, struct spi_message *msg) +static int __spi_unmap_msg(struct spi_master *master, struct spi_message *msg) { struct spi_transfer *xfer; struct device *tx_dev, *rx_dev; @@ -583,15 +583,6 @@ static int spi_unmap_msg(struct spi_master *master, struct spi_message *msg) rx_dev = master->dma_rx->device->dev; list_for_each_entry(xfer, &msg->transfers, transfer_list) { - /* - * Restore the original value of tx_buf or rx_buf if they are - * NULL. - */ - if (xfer->tx_buf == master->dummy_tx) - xfer->tx_buf = NULL; - if (xfer->rx_buf == master->dummy_rx) - xfer->rx_buf = NULL; - if (!master->can_dma(master, msg->spi, xfer)) continue; @@ -608,13 +599,32 @@ static inline int __spi_map_msg(struct spi_master *master, return 0; } -static inline int spi_unmap_msg(struct spi_master *master, - struct spi_message *msg) +static inline int __spi_unmap_msg(struct spi_master *master, + struct spi_message *msg) { return 0; } #endif /* !CONFIG_HAS_DMA */ +static inline int spi_unmap_msg(struct spi_master *master, + struct spi_message *msg) +{ + struct spi_transfer *xfer; + + list_for_each_entry(xfer, &msg->transfers, transfer_list) { + /* + * Restore the original value of tx_buf or rx_buf if they are + * NULL. + */ + if (xfer->tx_buf == master->dummy_tx) + xfer->tx_buf = NULL; + if (xfer->rx_buf == master->dummy_rx) + xfer->rx_buf = NULL; + } + + return __spi_unmap_msg(master, msg); +} + static int spi_map_msg(struct spi_master *master, struct spi_message *msg) { struct spi_transfer *xfer;